public inbox for [email protected]
From: Jacob Champion <[email protected]>
To: Dmitry Dolgov <[email protected]>
Cc: Daniel Gustafsson <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Subject: Re: Add ssl_(supported|shared)_groups to sslinfo
Date: Mon, 23 Feb 2026 11:22:22 -0800
Message-ID: <CAOYmi+k7v6hP5nM7BQdKu37TJFi-X=d7_SDswZBV5q0awxPVYg@mail.gmail.com> (raw)
In-Reply-To: <srua2tidoiztaytmxlwjfpjhntxelmxpfta4lhulvlker444yg@sf232zqm3qvs>
References: <d57duqvzkxe43oons3jkdq7pj2wacidg7qorxommri74evu3l2@4x53she7mf77>
<[email protected]>
<CAOYmi+nkT7rkbNd6que0wtz=epOikgBKSDR88DQ=cyNJwiUw8Q@mail.gmail.com>
<srua2tidoiztaytmxlwjfpjhntxelmxpfta4lhulvlker444yg@sf232zqm3qvs>
On Mon, Feb 23, 2026 at 9:58 AM Dmitry Dolgov <[email protected]> wrote:
> No deep reason, it was just useful for some particular experiments and
> for gathering understanding of what's going on. Would you find it
> reasonable to have both, shared groups and the negotiated group, or
> having only the latter is strictly better?

Well, take this with a grain of salt, because I tend to use tools
other than sslinfo for TLS debugging. But it seems to me that all of
the sslinfo functions cater to facts about the current connection: the
client certificate, the cipher, the protocol version.

These new functions instead focus on what *might* have been, which
makes them kind of awkward. Maybe sslinfo should be expanded to give
us those tools as well, but I wonder if handshake debugging might be a
better fit for some debug logging on the server side. Or if there
might be an overall feature here -- "why did the negotiation behave
this way?" -- that could be better served by something that's not a
new array of sslinfo functions that have to be correlated with each
other.

(Also, while I was taking a look at ssl_extension_info(), I realized
that it's focused on certificate extensions and not protocol
extensions. It's kind of unfortunately named.)

--Jacob